kdc: Improve warn_ticket_addresses feature

- Don't log "Request from wrong address (ignoring)".
 - Add "wrongaddr=yes" kv to final log message.
 - Add request and ticket addresses (up to 3) to final log message.

kdc/kerberos5.c

@@ -2199,10 +2199,13 @@ _kdc_as_rep(astgs_request_t r)
 	goto out;
     }
 
+    if (b->addresses)
+        _kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs");
+
     /* check for valid set of addresses */
     if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
         if (r->config->warn_ticket_addresses) {
-            kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+            _kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
         } else {
             _kdc_set_e_text(r, "Request from wrong address");
             ret = KRB5KRB_AP_ERR_BADADDR;

kdc/krb5tgs.c

@@ -1351,9 +1351,11 @@ next_kvno:
 			      &ap_req_options,
 			      ticket,
 			      KRB5_KU_TGS_REQ_AUTH);
+    if (ticket && (*ticket)->ticket.caddr)
+        _kdc_audit_addaddrs((kdc_request_t)r, (*ticket)->ticket.caddr, "tixaddrs");
     if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
         *ticket != NULL) {
-        kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+        _kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
         ret = 0;
     }
     if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
@@ -2396,10 +2398,11 @@ server_lookup:
     if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
         if (config->check_ticket_addresses) {
             ret = KRB5KRB_AP_ERR_BADADDR;
+            _kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
             kdc_log(context, config, 4, "Request from wrong address");
             goto out;
         } else if (config->warn_ticket_addresses) {
-            kdc_log(context, config, 4, "Request from wrong address (ignoring)");
+            _kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
         }
     }
 

kdc/process.c

@@ -94,6 +94,30 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
     heim_audit_addkv_timediff((heim_svc_req_desc)r,k, start, end);
 }
 
+/*
+ * Add up to 3 key value pairs to record HostAddresses from request body or
+ * PA-TGS ticket or whatever.
+ */
+void
+_kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
+{
+    size_t i;
+    char buf[128];
+
+    if (a->len > 3) {
+        char numkey[32];
+
+        if (snprintf(numkey, sizeof(numkey), "num%s", key) >= sizeof(numkey))
+            numkey[31] = '\0';
+        _kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len);
+    }
+
+    for (i = 0; i < 3 && i < a->len; i++) {
+        if (krb5_print_address(&a->val[0], buf, sizeof(buf), NULL) == 0)
+            _kdc_audit_addkv(r, 0, key, "%s", buf);
+    }
+}
+
 void
 _kdc_audit_trail(kdc_request_t r, krb5_error_code ret)
 {

tests/kdc/check-bx509.in

@@ -589,7 +589,7 @@ ${kgetcred} -H HTTP/${server}@${R} ||
 KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r ||
     { echo "Trivial offline CA test failed (gss-token)"; exit 2; }
 
-grep 'Request from wrong address .ignoring' ${objdir}/messages.log ||
+grep 'REQ.*wrongaddr' ${objdir}/messages.log ||
     { echo "KDC not warning about requests from wrong address"; exit 2; }
 
 echo "Fetching a Negotiate token"